Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agrius Group Webshell File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|"; content:"name|3d 22|Fhq|22 3b 20|filename|3d 22|"; distance:0; fast_pattern; content:"name|3d 22|RvOp|22 0d 0a 0d 0a|Upload|0d 0a|"; distance:0; reference:url,unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/; classtype:trojan-activity; sid:2049904; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2024_01_03, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_03; target:dest_ip;)